WTEU-50 – Securing your applications

Date: Sunday 19th October 2014
Time: 3.30pm – 5.30pm British Summer Time
Facilitators: Neil Studd, Daniel Billing
Participants: Trisha Agarwal, Julia Burmatova, Ioana Serban, Aleksandar Simic, Siim Sutrop, Pushpa Raj, Martin Ulst

This month we had a special guest presenter, with Dan Billing talking to us about security testing. Dan began by giving us an overview of his testing career to date, and his growing interest in security, including the battles that he faced in previous organisations in getting them to take their security responsibilities seriously.

Before diving in, the group began by enumerating as many different types of security risk as they could think of, or which they’d heard of before. We produced a large list:

  • Injection attacks, including (but not limited to) SQL injection
  • Poor end-user security, such as easily guessable passwords (and lack of system checks to prevent such passwords)
  • Brute-force password hacks
  • Privilege escalation, e.g. convincing the site that you are an administrator
  • Cross-site scripting
  • Denial of service (DoS) attacks, including distributed (DDoS) variants
  • URL manipulation to access unauthorised pages, or changing parameters in URL
  • Redirecting/forwarding to a malicious site
  • Lack of encryption / sending sensitive data over non-secure connections
  • Man-in-the-middle attacks, especially over non-secure connections e.g. public wi-fi
  • Phishing / social engineering
  • Shoulder-surfing
  • Repudiation – performing an action without leaving an audit trail, so that there is no evidence of wrongdoing

The team discussed the potential impact on our business should any of the above issues result in (for example) a major data breach. The consequences include loss of reputation (and therefore, potentially, loss of customers), criminal liability or, in extreme cases, loss of life. The risks are huge, yet (with so many other demands on our time) security testing is often treated as an afterthought. We spend so much time debating relatively minor user interface issues; couldn’t we siphon some of this time into investigating potentially major security issues?

In our experience, such testing is often delegated to specialised consultants, such as an external penetration tester. As Siim Sutrop said: “Security testing seems to be usually some kind of high-end skill and thus no testers are delving into it”. In some cases an external test is an industry or governmental requirement, but in this session we aimed to arm testers with the tools and skills required to start making headway in everyday security testing. For example, if an apostrophe in an input field produces some kind of “malformed SQL” error, that is a tell-tale sign that a SQL injection flaw is hiding there, even if you don’t know the exact SQL required to delete the database!

Testing Time

Dan introduced us to the demo website that we would be using for the session: Altoro Mutual, a sandbox banking application produced by IBM to showcase their security testing tools. We were advised not to use Chrome for this exercise: Chrome’s built-in XSS filter blocks some reflected cross-site scripting attacks, so vulnerabilities that are present in the site can be harder to demonstrate from Chrome.

One point that we reiterated throughout the session (and is displayed here deliberately in bold!) is that you should ALWAYS seek permission before attempting tests such as these on any real sites, including your own company’s, as you are otherwise leaving yourself open to potential legal issues.

We analysed the demo banking site, discussing the bank’s main assets. As well as sensitive customer information, one of their major assets is their brand; attackers will look to take advantage of this, for example by exploiting users’ faith in the bank and their willingness to ignore weird behaviour on a site that they trust. We looked at the site’s major entry points, focusing mostly on the login page; Ioana Serban and Martin Ulst quickly gained access to the site’s admin account simply by guessing credentials (username: admin, password: admin). This is an example of how poor password management or authentication practices can undermine even the strongest of systems!

Dan introduced us to the Open Web Application Security Project (OWASP), using its periodically updated OWASP Top 10 to illustrate the most common types of attack performed against sites. Dan illustrated how he could very quickly chain weaknesses together: firstly to reveal a listing of files on the web server, and then to exploit an idiosyncrasy of how the site renders its content pages, which allowed users to read the raw C# source code of the application. (You can follow along in the session transcript, between the 16:20 and 16:30 timestamps.)

Next, having reviewed the format of the SQL queries within the C# source code, Dan showed us a couple of ways in which we could exploit this through injection attacks. Firstly, having established a valid username by using the site’s information disclosure to our advantage (the site gives different responses for “invalid username” and “valid username but invalid password”, so valid usernames can be enumerated), we could bypass the password check by entering the password as ' OR 1=1-- (the OR 1=1 makes the WHERE clause true for every row, and the trailing -- comments out the remainder of the original query). Secondly, as we moved on to discuss tools such as Fiddler which can intercept and modify HTTP requests, Dan showed an elegant attack which, by modifying the request headers to include an unexpected SQL query, resulted in the site unexpectedly returning the username and password of every account in the system (appearing as username-password pairs in the account dropdown).
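To make the apostrophe tell and the two injection techniques above concrete, here is an added example (written for this write-up; it is not code from the session or from Altoro Mutual) using Python and an in-memory SQLite database with a constructed toy schema. It reproduces the “malformed SQL” probe, the ' OR 1=1-- login bypass, a UNION-based dump of username-password pairs into the account list, the username-enumeration messages, and the parameterised queries that close each hole. The schema, the sample accounts and the exact dump payload are assumptions; the real site is C# on SQL Server and its code is not reproduced.

```python
import sqlite3


def make_db():
    """Constructed sample data: a toy schema in the spirit of a demo banking app
    (an assumption, not the Altoro Mutual schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE accounts (owner TEXT, account_no TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "admin", "administrator"),
        ("jsmith", "demo1234", "customer"),
    ])
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("jsmith", "800002", "Checking"),
        ("jsmith", "800003", "Savings"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login the injectable way: raw input pasted into the SQL string."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def list_accounts_vulnerable(conn, owner):
    """Populates the 'account dropdown'. The owner value is trusted from the
    request (in the session it came from a modified request; here it is a
    plain argument), so a UNION can splice in rows from another table."""
    sql = "SELECT account_no, name FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def list_accounts_fixed(conn, owner):
    sql = "SELECT account_no, name FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def apostrophe_probe(conn, login_fn):
    """The tester's tell: a lone apostrophe in the password field.
    Returns the database error text if the query broke, else None."""
    try:
        login_fn(conn, "admin", "'")
    except sqlite3.Error as exc:
        return "malformed SQL: %s" % exc
    return None


def login_message_leaky(conn, username, password):
    """Username enumeration: the two failure messages differ."""
    exists = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    if exists is None:
        return "invalid username"
    return "ok" if login_fixed(conn, username, password) else "invalid password"


def login_message_safe(conn, username, password):
    """One failure message regardless of which half was wrong."""
    return "ok" if login_fixed(conn, username, password) else "invalid username or password"


# The bypass payload is the one from the session; the dump payload is an
# assumed UNION variant that produces the outcome described, not Dan's string.
BYPASS_PASSWORD = "' OR 1=1--"
DUMP_OWNER = "x' UNION SELECT username, password FROM users--"


if __name__ == "__main__":
    db = make_db()
    print("apostrophe tell:", apostrophe_probe(db, login_vulnerable))
    print("bypass:", login_vulnerable(db, "admin", BYPASS_PASSWORD))
    print("dump:", list_accounts_vulnerable(db, DUMP_OWNER))
    print("fixed bypass:", login_fixed(db, "admin", BYPASS_PASSWORD))
    print("fixed dump:", list_accounts_fixed(db, DUMP_OWNER))
    print("leaky:", login_message_leaky(db, "nobody", "x"), "/",
          login_message_leaky(db, "admin", "x"))
```

Run it directly and compare the vulnerable and fixed pairs: the parameterised versions receive the same payloads but treat them as ordinary string values, so the bypass returns no row, the dump returns an empty list, and the apostrophe probe returns no error, which is exactly why the apostrophe tell is such a cheap first check.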

This latter example was framed around an overview of how tools such as Fiddler and ZAP can help you to uncover and then pinpoint vulnerabilities. With limited time available during the session, we couldn’t dwell on these for too long, but there seemed to be a lot of interest in having a future Weekend Testing session dedicated to learning such tools. For the time being, you can find more information in the “Further Reading” section, but expect a revisit in the not too distant future!

Next Steps

With time running out after an energetic session, we began to focus on how we can integrate security testing into our daily activities, given a finite amount of time and a near-infinite amount of work already on our plates. Dan reiterated that getting buy-in from the business is critical, as is securing a demo/test environment for the tests (so that if it gets trashed, you haven’t just destroyed your live system). Dan’s next tip was to read widely and to understand the underlying communication between user, browser and web server. The OWASP website is an excellent starting point, and we discussed a bunch of other resources (such as security experts’ websites, Twitter feeds, courses and books), all of which you’ll find linked in the section below.

As we wrapped up the meeting, attendees agreed that the “guest speaker” format had been a huge success, as Dan’s expertise had brought serious insight into the session. There were repeated calls for a follow-up session where we could go more in-depth, possibly focused around one or more of the tools that we’d discussed, so the group’s passion for learning had clearly been stimulated by Dan’s talk. For Amy and me, it’s on to planning WTEU-51, which could again be security-focused, and recruiting other guests for future focused sessions; for the session attendees, it’s on to discovering what their new-found security testing know-how can reveal in their products (once they’ve received agreement from their management and stakeholders, of course!)

Further Reading and Resources

Below you’ll find a whole lot of things that we referenced during the session, or that we’d hoped to reference but ran out of time. We’ll look to address these in a future session!

As well as reviewing this list, we hugely recommend Daniel Miessler’s Web Application Security Testing Resources page, as it’s a much more comprehensive list on the subject!

Session Transcript

Other demo web applications for finding vulnerabilities:

Similar recent Weekend Testing sessions:

Tools to assist with security analysis:

Security-focused blogs, Twitter accounts, other online resources

Training Courses

Books

About the Author

Neil is a tester from the United Kingdom who has been testing desktop, mobile and web applications for the past ten years, working in a range of agile roles for organisations as varied as Oracle and Last.fm. In his spare time, he participates in freelance and beta testing projects, as a way of learning and developing new approaches to testing.